CVE-2025-62418

Опубликовано: 16 окт. 2025

Источник: nvd

CVSS3: 6.9

CVSS3: 4.8

EPSS Низкий

Описание

Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. This vulnerability is fixed in 2.3.8.

Ссылки

https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346
Exploit
Vendor Advisory
https://github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:webkul:bagisto:2.3.7:*:*:*:*:*:*:*

EPSS

Процентиль: 16%

0.00051

Низкий

6.9 Medium

CVSS3

4.8 Medium

CVSS3

Дефекты

CWE-80

CWE-79

Связанные уязвимости

GHSA-fg89-g389-p346

CVSS3: 6.9

github

4 месяца назад

bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)

EPSS

Процентиль: 16%

0.00051

Низкий

6.9 Medium

CVSS3

4.8 Medium

CVSS3

Дефекты

CWE-80

CWE-79